The invention relates to an electric arrangement, comprising: (a) functional modules, which can serve both as transaction initiators or transaction targets, whereby a transaction initiating functional module may need a transaction target functional module to execute a function for and on its behalf; (b) a first interconnect fabric connecting the functional modules and providing communication between those functional modules; wherein the (electric) arrangement being arranged in that a selected transaction initiation functional module has temporally exclusive access to transaction target functional module(s), executing a function for and on its behalf, to ensure that transaction initiating functional modules other than the selected transaction initiation functional module, have no uncontrolled access thereto, wherein said selected transaction initiation functional module being a hardware secure module.

An apparatus to facilitate scalable runtime validation for on-device design rule checks is disclosed. The apparatus includes a memory to store a contention set, one or more multiplexors, and a validator communicably coupled to the memory. In one implementation, the validator is to: receive design rule information for the one or more multiplexers, the design rule information referencing the contention set; analyze, using the design rule information, a user bitstream against the contention set at a programming time of the apparatus, the user bitstream for programming the one or more multiplexors; and provide an error indication responsive to identifying a match between the user bitstream and the contention set.

A method for device authentication comprises receiving, by processing hardware of a first device, a message from a second device to authenticate the first device. The processing hardware retrieves a secret value from secure storage hardware operatively coupled to the processing hardware. The processing hardware derives a validator from the secret value using a path through a key tree, wherein the path is based on the message, wherein deriving the validator using the path through the key tree comprises computing a plurality of successive intermediate keys starting with a value based on the secret value and leading to the validator, wherein each successive intermediate key is derived based on at least a portion of the message and a prior key. The first device then sends the validator to the second device.

A method for device authentication comprises receiving, by processing hardware of a first device, a message from a second device to authenticate the first device. The processing hardware retrieves a secret value from secure storage hardware operatively coupled to the processing hardware. The processing hardware derives a validator from the secret value using a path through a key tree, wherein the path is based on the message, wherein deriving the validator using the path through the key tree comprises computing a plurality of successive intermediate keys starting with a value based on the secret value and leading to the validator, wherein each successive intermediate key is derived based on at least a portion of the message and a prior key. The first device then sends the validator to the second device.

A secrecy system and a decryption method of on-chip data stream of nonvolatile FPGA are provided in the present invention. The nonvolatile memory module of the system is configured to only allow the full erase operation. After the full erase operation is finished, the nonvolatile memory module gets into the initial state. Only the operation to the nonvolatile memory module under the initial state is effective, and thereby the encryption region unit is arranged in the nonvolatile memory module. Only the decryption data written into the encryption region unit under the initial state can make the nonvolatile memory module to be readable, so that the decryption of the system is finished, which greatly improves the secrecy precision.

Apparatuses, systems, and methods for communication interfaces of a programmable part. In at least one embodiment, one or more communication interfaces are secured to a top side of a programmable part to provide programmable access to the programmable part after installation on a printed circuit board (PCB), the one or more communication interfaces to be selectively disabled based, at least in part, on a status of the programmable part.

Provided are a method of dynamically configuring a FPGA and a network security device. The network security device includes a CPU and at least one FPGA coupled with the CPU. The CPU generates a configuration entry for a target FPGA in response to a user instruction. The configuration entry includes a classification number and a configuration content for the target FPGA. The CPU sends the configuration entry to each FPGA coupled with the CPU, Each FPGA obtains its own classification number, compares its own classification number with the classification number in the configuration entry, and stores the configuration content when the own classification number the same with the classification number in the configuration entry.

Provided are a method of dynamically configuring a FPGA and a network security device. The network security device includes a CPU and at least one FPGA coupled with the CPU. The CPU generates a configuration entry for a target FPGA in response to a user instruction. The configuration entry includes a classification number and a configuration content for the target FPGA. The CPU sends the configuration entry to each FPGA coupled with the CPU, Each FPGA obtains its own classification number, compares its own classification number with the classification number in the configuration entry, and stores the configuration content when the own classification number the same with the classification number in the configuration entry.

An integrated circuit includes: one or more protected circuits; a license control circuit configured to request, from a license issuer, a license for activating the one or more protected circuits, the license request having a seed value; and a cryptographic circuit configured to verify the authenticity of a license received from the license issuer based on the seed value, wherein the license control circuit is configured to impose a validity limit on the received license, and to request a new license from the license issuer before the validity limit of the received license.

An integrated circuit includes: one or more protected circuits; a license control circuit configured to request, from a license issuer, a license for activating the one or more protected circuits, the license request having a seed value; and a cryptographic circuit configured to verify the authenticity of a license received from the license issuer based on the seed value, wherein the license control circuit is configured to impose a validity limit on the received license, and to request a new license from the license issuer before the validity limit of the received license.